Revoke certificates on locked out server


#1

I am in a bit of a pickle.

I have been moving my old web server over to DigitalOcean and in the process, I lost the ability to SSH into the old server. I can’t access it at all as something has gone horribly wrong with my .pem file, or I changed my public key somehow, and now I can’t get in.

Nonetheless, I’m not too worried about that server, it can be shut down. I just need to be able to generate a new LetsEncrypt SSL certificate for the new server.

But, according to https://crt.sh/?q=sparkbuzz.co.za I have issued 4 certificates for sparkbuzz.co.za on 2018-06-04 which only expire on 2018-09-02.

…so this is causing a rate limit error:

“An unexpected error occurred:
There were too many requests of a given type :: Error creating new cert :: too many certificates already issued for exact set of domains: sparkbuzz.co.za: see https://letsencrypt.org/docs/rate-limits/”

Is there a way that I can revoke these certificates from the new server, or does this mean I am going to have to wait till 2018-09-02 to be able to regenerate a new certificate?

My domain is:
sparkbuzz.co.za

I ran this command:
certbot certonly --agree-tos --domain sparkbuzz.co.za --email josef.van.niekerk@gmail.com --non-interactive --staging --webroot --webroot-path /var/www/htdocs

It produced this output:
An unexpected error occurred:
There were too many requests of a given type :: Error creating new cert :: too many certificates already issued for exact set of domains: sparkbuzz.co.za: see https://letsencrypt.org/docs/rate-limits/

My web server is (include version):
Nginx

The operating system my web server runs on is (include version):
Alpine Container running on Ubuntu host

My hosting provider, if applicable, is:
Afrihost

I can login to a root shell on my machine (yes or no, or I don’t know):
Not on the old server, login available on new server.

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No


#2

:wave: Hi @sparkbuzz, sorry to hear about the trouble you’re having.

Unfortunately revocation does not affect rate limits. You shouldn’t worry about revoking these inaccessible certificates.

Since the rate limit you’re encountering is the “Duplicate Certificate” rate limit (See our rate limit docs for more info) you have one other work-around available to you: You can add another domain name to the certificate.

If you add a new subdomain to your website (test.sparkbuzz.co.za, sparkbuzz.sparkbuzz.co.za, anything!) and add that to the list of domain names you provide to certbot you should be able to issue a new certificate because it won’t be an exact match for the 5 you issued already and can’t access.

Make sure if you’re using a container based solution that you persist Certbot’s certificates, private keys, and account information between runs or you’ll quickly find yourself hitting rate limits from issuing certificates over and over when the container restarts :slight_smile:

Hope this helps,


#3

In addition to what @cpu notes, there’s no rate limit for the number of currently-valid certs. The five that you show were generated two months ago and won’t affect any rate limits. Your problem is that you’ve generated five more within the last week, and that’s what’s tripping the limit. That limit will reset a week from the time the first cert was issued–or you can add another FQDN to the cert and issue away.


#4

Hi @sparkbuzz

crt.sh hangs, Google is better:

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:false;domain:sparkbuzz.co.za&lu=cert_search

You have 5 certificates created 2018-08-04 - 2018-08-05. That hits the limit.

Is it possible to use one of these?

What does

certbot certificates

say?


#5

Weird thing is, I don’t recall doing certificate renewals for production, and I don’t have any cron tasks, I have been using --staging thus far. Is there a way to debug exactly what is causing the rate limit?


#6

The new server has only test certificates on it. The other valid certificate lies on the server I am locked out of.


#7

I could try this, but there’s only a test certificate on the new server.


#8

Test certificates are not logged (CT), so these certificates are production certificates.

Then you have to wait. 2018-08-11 you can create the next certificate.
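The reasoning in #3, #4 and #8 (only certificates with the exact same set of names count, only within a sliding seven-day window, revocation changes nothing, staging certificates never appear in CT) can be checked against CT data with a small script. The Python below is an added example and is not code from the thread, from Certbot or from Let's Encrypt. It assumes records shaped like crt.sh's JSON output (the field names `name_value`, `not_before` and `serial_number` are that assumption); the sample records themselves are constructed for the example and mirror the dates discussed above.

```python
"""Model Let's Encrypt's "Duplicate Certificate" rate limit over CT records.

Added example. Assumption: the record layout mirrors crt.sh's JSON output
(name_value holds newline-separated names, not_before is an ISO timestamp,
serial_number is hex). All sample data below is constructed.
"""
import json
from datetime import datetime, timedelta

DUPLICATE_LIMIT = 5         # 5 certificates per week for one exact name set
WINDOW = timedelta(days=7)  # a sliding window, not a calendar week

# Constructed sample: one old certificate (June) and five issuances on
# 2018-08-04/05. The first August issuance appears twice because CT logs
# hold both the precertificate and the final certificate for one serial.
SAMPLE_CT_JSON = json.dumps([
    {"serial_number": "01", "not_before": "2018-06-04T10:00:00",
     "name_value": "sparkbuzz.co.za"},
    {"serial_number": "10", "not_before": "2018-08-04T08:00:00",
     "name_value": "sparkbuzz.co.za"},
    {"serial_number": "10", "not_before": "2018-08-04T08:00:00",
     "name_value": "sparkbuzz.co.za"},             # final cert, same serial
    {"serial_number": "11", "not_before": "2018-08-04T09:00:00",
     "name_value": "SPARKBUZZ.CO.ZA"},             # case differs, still a dup
    {"serial_number": "12", "not_before": "2018-08-04T12:00:00",
     "name_value": "sparkbuzz.co.za"},
    {"serial_number": "13", "not_before": "2018-08-05T07:00:00",
     "name_value": "sparkbuzz.co.za"},
    {"serial_number": "14", "not_before": "2018-08-05T09:30:00",
     "name_value": "sparkbuzz.co.za"},
])


def normalize(names):
    """Exact-set comparison ignores case and order, so compare frozensets."""
    return frozenset(n.strip().lower() for n in names if n.strip())


def load_issuances(ct_json):
    """Parse CT records into (not_before, name set), one entry per serial.

    Precertificate and final certificate share a serial; dedupe on it or
    every issuance counts twice. Staging certificates are never logged,
    so they are absent from the input and correctly never counted.
    """
    seen = set()
    issuances = []
    for rec in json.loads(ct_json):
        names = normalize(rec["name_value"].split("\n"))
        key = (rec["serial_number"], names)
        if key in seen:
            continue
        seen.add(key)
        issuances.append((datetime.fromisoformat(rec["not_before"]), names))
    return sorted(issuances)


def in_window(issuances, names, now):
    """Issuance times for exactly these names inside (now - WINDOW, now]."""
    wanted = normalize(names)
    return sorted(t for t, n in issuances
                  if n == wanted and now - WINDOW < t <= now)


def can_issue(issuances, names, now):
    """True if another cert for exactly these names would pass the limit."""
    return len(in_window(issuances, names, now)) < DUPLICATE_LIMIT


def next_allowed(issuances, names, now):
    """Earliest time a cert for exactly these names can be issued.

    The limit clears when the 5th most recent issuance ages out of the
    window. Revoking a certificate does not remove it from this list.
    """
    times = in_window(issuances, names, now)
    if len(times) < DUPLICATE_LIMIT:
        return now
    return times[-DUPLICATE_LIMIT] + WINDOW


if __name__ == "__main__":
    issued = load_issuances(SAMPLE_CT_JSON)
    now = datetime(2018, 8, 6, 12, 0)
    base = {"sparkbuzz.co.za"}
    print("exact set, in window:", len(in_window(issued, base, now)))
    print("next allowed for exact set:", next_allowed(issued, base, now))
    print("with extra name allowed now:",
          can_issue(issued, base | {"test.sparkbuzz.co.za"}, now))
```

Run against real data, feed it the JSON from crt.sh (`?q=<domain>&output=json`) instead of the constructed sample; the June certificate in the sample falls outside the window and, as #3 says, does not count, while the five August ones push the exact set to its limit until 2018-08-11, and adding any extra name makes the set non-identical and issuable immediately.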

